It seems the thing to do in detection nowadays is to sweep the network looking for bad guys by collecting data off individual computers in the network. For example, running various WMIC queries across a domain with a domain admin account. But as you guys know, that's apparently not a good idea, with Windows storing password hashes and even clear-text passwords in memory. So how can those responsible for finding compromised boxes avoid giving attackers domain admin?

For something like the scenario you mentioned, you should create a group that only has the permissions necessary to perform WMIC queries (or whatever it is you need to do). Then, create restricted user accounts and add them to that group as necessary. You don't need to be a domain admin to perform those types of activities. It's just easy and convenient to use domain admins for everything, and people are lazy.
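Here is what that answer looks like in practice, as an added worked example that is not part of the original answer. It creates a dedicated domain group and service account, grants the group only the two WMI namespace rights a remote query needs (Enable Account and Remote Enable, deliberately without Execute Methods or any write bit), gives it the DCOM remote launch/activation rights that remote WMI also requires via the built-in "Distributed COM Users" local group, and then verifies from the scanning host that a read-only query works while method execution is denied. The domain `CORP`, the group `WMI-Readers`, the account `svc-wmiscan`, the target host `WS01` and the helper name `Grant-WmiReadAccess` are all assumptions for illustration; the access-mask values come from wbemcli.h and the `__SystemSecurity` / `Win32_Ace` / `Win32_Trustee` classes are the standard WMI security descriptor API.

```powershell
# Added example, not code from the original thread. Assumed names: domain CORP,
# group WMI-Readers, account svc-wmiscan, target host WS01. Steps 1 and 3 run as
# an administrator with the ActiveDirectory module; step 4 runs as the scanner.

# --- 1. Least-privilege group and account (no Domain Admins membership) ---
New-ADGroup -Name 'WMI-Readers' -GroupScope Global -GroupCategory Security `
    -Description 'Remote WMI query access only (no method execution)'
$pw = Read-Host -AsSecureString -Prompt 'Password for svc-wmiscan'
New-ADUser -Name 'svc-wmiscan' -SamAccountName 'svc-wmiscan' `
    -AccountPassword $pw -Enabled $true
Add-ADGroupMember -Identity 'WMI-Readers' -Members 'svc-wmiscan'

# --- 2. Grant that group read-only WMI access on a target namespace ---
# Namespace rights live in the DACL returned by __SystemSecurity.
# Access-mask bits (wbemcli.h): WBEM_ENABLE = 0x1 ("Enable Account"),
# WBEM_REMOTE_ACCESS = 0x20 ("Remote Enable"). WBEM_METHOD_EXECUTE (0x2),
# WBEM_FULL_WRITE_REP (0x4) and the other write bits are NOT granted, so the
# scanner can read Win32_Process but cannot call Win32_Process.Create.
function Grant-WmiReadAccess {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$Account,      # e.g. 'CORP\WMI-Readers'
        [string]$Namespace = 'root\cimv2'
    )
    $nt  = New-Object System.Security.Principal.NTAccount($Account)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

    $target = @{ ComputerName = $ComputerName; Namespace = $Namespace
                 Path = '__SystemSecurity=@' }
    $sd = (Invoke-WmiMethod @target -Name GetSecurityDescriptor).Descriptor

    $trustee = ([wmiclass]'Win32_Trustee').CreateInstance()
    $trustee.SIDString = $sid
    $ace = ([wmiclass]'Win32_Ace').CreateInstance()
    $ace.AccessMask = 0x1 -bor 0x20   # Enable Account + Remote Enable only
    $ace.AceFlags   = 0x2             # CONTAINER_INHERIT_ACE: child namespaces inherit
    $ace.AceType    = 0               # ACCESS_ALLOWED_ACE_TYPE
    $ace.Trustee    = $trustee

    $sd.DACL += $ace.PSObject.ImmediateBaseObject
    $r = Invoke-WmiMethod @target -Name SetSecurityDescriptor `
            -ArgumentList $sd.PSObject.ImmediateBaseObject
    if ($r.ReturnValue -ne 0) { throw "SetSecurityDescriptor failed: $($r.ReturnValue)" }
}
Grant-WmiReadAccess -ComputerName 'WS01' -Account 'CORP\WMI-Readers'

# --- 3. Remote WMI over DCOM also needs Remote Launch/Activation rights ---
# The built-in local group "Distributed COM Users" carries exactly those, so add
# the domain group to it on each target (here per host; in practice push it
# with GPO Restricted Groups). Add-LocalGroupMember needs Win10/Server 2016+;
# on older hosts use: net localgroup "Distributed COM Users" CORP\WMI-Readers /add
Invoke-Command -ComputerName 'WS01' -ScriptBlock {
    Add-LocalGroupMember -Group 'Distributed COM Users' -Member 'CORP\WMI-Readers'
}

# --- 4. Verify from the scanning host as the restricted account ---
$cred = Get-Credential 'CORP\svc-wmiscan'
$opt  = New-CimSessionOption -Protocol Dcom
$s    = New-CimSession -ComputerName 'WS01' -Credential $cred -SessionOption $opt

# Expected to succeed: the kind of read-only sweep query the question describes
Get-CimInstance -CimSession $s -ClassName Win32_Process |
    Select-Object ProcessId, Name, CommandLine | Select-Object -First 5

# Expected to fail with access denied: Execute Methods was never granted
try {
    Invoke-CimMethod -CimSession $s -ClassName Win32_Process -MethodName Create `
        -Arguments @{ CommandLine = 'calc.exe' } -ErrorAction Stop
    Write-Warning 'Method execution succeeded: the ACE grants more than intended'
} catch {
    "Method execution denied as intended: $($_.Exception.Message)"
}
Remove-CimSession $s
```

Two practical notes. First, the ACE is set per namespace: `root\cimv2` and its children inherit from the call above, but siblings such as `root\SecurityCenter2` are separate namespaces under `root` and need their own grant (or a grant on `root` with inheritance). Second, a remote WMI query is a network logon, so the scanner's credential is not cached in LSASS on the target the way an interactive or RDP logon's would be; the account still authenticates to every host it sweeps, so keeping it out of Domain Admins and local Administrators is what limits the damage if one of those hosts is already the attacker's.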